Granting Access Without Ssh Authentication - HP NonStop SSH 544701-014 Reference Manual

This assumes that TELSERV is listening on port 23 for the same TCPIP process as SSH2. To forward shell requests to a
TELSERV listening on a different port or address, specify CI-PROGRAM as follows:
% ALTER USER telnetuser, CI-PROGRAM "telnet 192.2.3.4 4023"
Similarly, the SHELL-PROGRAM attribute can be prepared as follows (an example using an IPv6 address):
ALTER USER test, SHELL-PROGRAM "telnet fe80::a00:8eff:fe02:69d9 5023"
6530 shell users (e.g. when connecting a 6530 session over the MR-Win6530 SSH interface) will see the standard
TELSERV service menu after the connection is established.
Note: Although TELNET is specified as CI-PROGRAM, SSH2 will not invoke the TELNET program on a STN 6530
pseudo terminal. To provide optimal performance, SSH2 will directly establish a socket connection to the target
TELSERV process, which will provide the 6530 terminal device for the session.

Granting Access without SSH Authentication

Under certain circumstances, it is desirable to grant access to specific services without forcing the remote SSH user to
authenticate. For example, some services delivered via SSH may perform their own user authentication. To spare users
from entering their credentials twice, the authentication usually performed over the SSH protocol can be
turned off. Even without SSH authentication, the connection is still encrypted, protecting any passwords and data
transmitted during the service's execution.
CAUTION: When granting unauthenticated SSH access to a resource that performs its own authentication, the user's
privileges should be properly locked to prevent unauthorized access to any other resources.
For access without authentication, the SSH2 server can be configured so that the authentication method "none" is an
ALLOWED-AUTHENTICATION for a user.
The following SSHCOM commands show how to set up a logical user who only authenticates through the
SAFEGUARD LOGON program:
>RUN SSHCOM $SSH01
T9000B03_02DEC2009_SSHCOM
OPEN $ssh01
% ADD USER safeguarduser, ALLOWED-AUTHENTICATION (none), &
% SYSTEM-USER *none*, CI-PROGRAM $SYSTEM.SYSTEM.LOGON, &
% ALLOW-SHELL NO, ALLOWED-SUBSYSTEMS (), ALLOW-TCP-FORWARDING NO
OK, user safeguarduser added.
%
In the example above, "safeguarduser" does not require an individual SSH authentication. In this case, the user name
serves as a logical service that provides system access via the SAFEGUARD logon program. This service can be shared
by multiple individual users. After the session is established, the SAFEGUARD logon program performs user
authentication.
Note that the additional attributes in the command limit the user's access rights to the SAFEGUARD logon program only.
The following SSHCOM commands show how to set up a logical user who is authenticated only by the services started
by the STN PTY server:
>RUN SSHCOM $SSH01
T9000B03_02DEC2009_SSHCOM
OPEN $ssh01
% ADD USER serviceuser, ALLOWED-AUTHENTICATION (none), &
% SYSTEM-USER *NONE*, CI-PROGRAM *MENU*, &
% ALLOW-SHELL NO, ALLOWED-SUBSYSTEMS (), ALLOW-TCP-FORWARDING NO
OK, user serviceuser added.
%
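
One way to check the CAUTION above across a set of user definitions, as an added example that is not part of the HP manual: the Python script below parses ADD USER commands in the syntax shown on this page and reports, for each user whose ALLOWED-AUTHENTICATION includes none, which restricting attributes from the two examples are missing or set differently. The baseline attribute set, the function names and the users menuuser and opsuser are assumptions made for this example.

```python
import re

# Baseline taken from the manual's two ADD USER examples (an assumption of this
# added check, not an SSH2 rule). None means "any explicit value".
REQUIRED = {"SYSTEM-USER": "*NONE*", "ALLOW-SHELL": "NO", "ALLOWED-SUBSYSTEMS": "()",
            "ALLOW-TCP-FORWARDING": "NO", "CI-PROGRAM": None}

def parse_add_user(script):
    """Return {user: {ATTRIBUTE: value}}; commas inside () or "" do not split."""
    # Join '&' continuation lines, dropping the '%' prompt of the next line.
    joined = re.sub(r"&[ \t]*\r?\n[ \t]*%?[ \t]*", " ", script)
    users = {}
    pattern = r"^[ \t]*%?[ \t]*ADD[ \t]+USER[ \t]+([^,\s]+)[ \t]*(?:,(.*))?$"
    for m in re.finditer(pattern, joined, re.I | re.M):
        attrs = {}
        for part in re.findall(r'(?:[^,("]|\([^)]*\)|"[^"]*")+', m.group(2) or ""):
            pieces = part.split(None, 1)
            if pieces:
                attrs[pieces[0].upper()] = pieces[1].strip() if len(pieces) > 1 else ""
        users[m.group(1)] = attrs
    return users

def audit(script):
    """Return {user: [findings]} for users that may authenticate with 'none'."""
    findings = {}
    for user, attrs in parse_add_user(script).items():
        methods = re.findall(r"[\w-]+", attrs.get("ALLOWED-AUTHENTICATION", "").lower())
        if "none" not in methods:
            continue
        problems = []
        for key, want in REQUIRED.items():
            got = attrs.get(key)
            if got is None:
                problems.append(f"{key} not set explicitly")
            elif want and got.upper().replace(" ", "") != want:
                problems.append(f"{key} is {got}, expected {want}")
        findings[user] = problems
    return findings

# Constructed sample: the first command is the manual's, the other two are made up.
SAMPLE = """\
% ADD USER safeguarduser, ALLOWED-AUTHENTICATION (none), &
% SYSTEM-USER *none*, CI-PROGRAM $SYSTEM.SYSTEM.LOGON, &
% ALLOW-SHELL NO, ALLOWED-SUBSYSTEMS (), ALLOW-TCP-FORWARDING NO
% ADD USER menuuser, ALLOWED-AUTHENTICATION (none), CI-PROGRAM *MENU*, ALLOW-SHELL YES
% ADD USER opsuser, ALLOWED-AUTHENTICATION (publickey), ALLOW-SHELL YES
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty findings list means the user matches the baseline; users that cannot authenticate with none are not reported at all.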
HP NonStop SSH Reference Manual
Configuring and Running SSH2 • 115
